§ 2435. Notice of security breaches
(a) This section shall be known as the Security Breach Notice Act.
(b) Notice of breach.
(1) Except as set forth in subsection (d) of this section, any data collector that owns or licenses computerized personal information that includes personal information concerning a consumer shall notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach. Notice of the breach shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subdivision (3) of this subsection, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) Any data collector that maintains or possesses computerized data containing personal information of a consumer that the business does not own or license or any data collector that conducts business in Vermont that maintains or possesses records or data containing personal information that the data collector does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subdivision (3) of this subsection.
(3) The notice required by this subsection shall be delayed upon request of a law enforcement agency. A law enforcement agency may request the delay if it believes that notification may impede a law enforcement investigation, or a national or homeland security investigation or jeopardize public safety or national or homeland security interests. In the event law enforcement makes the request in a manner other than in writing, the data collector shall document such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. A law enforcement agency shall promptly notify the data collector when the law enforcement agency no longer believes that notification may impede a law enforcement investigation, or a national or homeland security investigation or jeopardize public safety or national or homeland security interests. The data collector shall provide notice required by this section without unreasonable delay upon receipt of a written communication, which includes facsimile or electronic communication, from the law enforcement agency withdrawing its request for delay.
(4) The notice shall be clear and conspicuous. The notice shall include a description of the following:
(A) The incident in general terms.
(B) The type of personal information that was subject to the unauthorized access or acquisition.
(C) The general acts of the business to protect the personal information from further unauthorized access or acquisition.
(D) A toll-free telephone number that the consumer may call for further information and assistance.
(E) Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
(5) For purposes of this subsection, notice to consumers may be provided by one of the following methods:
(A) Direct notice to consumers, which may be by one of the following methods:
(i) Written notice mailed to the consumer's residence;
(ii) Electronic notice, for those consumers for whom the data collector has a valid e-mail address if:
(I) the data collector does not have contact information set forth in subdivisions (i) and (iii) of this subdivision (5)(A), the data collector's primary method of communication with the consumer is by electronic means, the electronic notice does not request or contain a hypertext link to a request that the consumer provide personal information, and the electronic notice conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches; or
(II) the notice provided is consistent with the provisions regarding electronic records and signatures for notices as set forth in 15 U.S.C. § 7001; or
(iii) Telephonic notice, provided that telephonic contact is made directly with each affected consumer, and the telephonic contact is not through a prerecorded message.
(B) Substitute notice, if the data collector demonstrates that the cost of providing written or telephonic notice, pursuant to subdivision (A)(i) or (iii) of this subdivision (5), to affected consumers would exceed $5,000.00 or that the affected class of affected consumers to be provided written or telephonic notice, pursuant to subdivision (A)(i) or (iii) of this subdivision (5), exceeds 5,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following:
(i) conspicuous posting of the notice on the data collector's website page if the data collector maintains one; and
(ii) notification to major statewide and regional media.
(c) In the event a data collector provides notice to more than 1,000 consumers at one time pursuant to this section, the data collector shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice. This subsection shall not apply to a person who is licensed or registered under Title 8 by the department of banking, insurance, securities, and health care administration.
(d)(1) Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection. If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont attorney general or the department of banking, insurance, securities, and health care administration as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in subdivision 317(c)(9) of Title 1.
(2) If a data collector established that misuse of personal information was not reasonably possible under subdivision (1) of this subsection, and subsequently obtains facts indicating that misuse of the personal information has occurred or is occurring, the data collector shall provide notice of the security breach pursuant to subsection (b) of this section.
(e) Any waiver of the provisions of this subchapter is contrary to public policy and is void and unenforceable.
(f) A financial institution that is subject to the following guidances, and any revisions, additions, or substitutions relating to said interagency guidance shall be exempt from this section:
(1) The Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or
(2) Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration.
(g) Enforcement.
(1) With respect to all data collectors and other entities subject to this subchapter, other than a person or entity licensed or registered with the department of banking, insurance, securities, and health care administration under Title 8 or this title, the attorney general and state's attorney shall have sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain and impose remedies for a violation of this subchapter or any rules or regulations made pursuant to this chapter as the attorney general and state's attorney have under chapter 63 of this title. The attorney general may refer the matter to the state's attorney in an appropriate case. The superior courts shall have jurisdiction over any enforcement matter brought by the attorney general or a state's attorney under this subsection.
(2) With respect to a data collector that is a person or entity licensed or registered with the department of banking, insurance, securities, and health care administration under Title 8 or this title, the department of banking, insurance, securities and health care administration shall have the full authority to investigate potential violations of this subchapter and to prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations adopted pursuant to this subchapter, as the department has under Title 8 or this title or any other applicable law or regulation.
Subsection (h) repealed effective June 30, 2012; see note set out below.
(h) Vermont law enforcement agencies, including the department of public safety, shall not be considered a data collector. Except as provided in subdivisions (b)(2) and (b)(3) of this section, Vermont law enforcement agencies, including the department of public safety, shall be exempt from this subchapter.
(Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007.)